Upload
ngocong
View
213
Download
0
Embed Size (px)
Citation preview
Official Audit Report – Issued September 30, 2015
Civil Service Commission—Examination of Annual Internal Control Questionnaire For the period July 1, 2013 through June 30, 2014
State House Room 230 Boston, MA 02133 [email protected] www.mass.gov/auditor
September 30, 2015 Mr. Christopher C. Bowman, Chair Civil Service Commission One Ashburton Place, Room 503 Boston, MA 02108 Dear Chairman Bowman: I am pleased to provide this limited-scope performance audit of the Civil Service Commission. This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2013 through June 30, 2014. My audit staff discussed the contents of this report with management of the agency, whose comments are reflected in this report. I would also like to express my appreciation to the Civil Service Commission for the cooperation and assistance provided to my staff during the audit. Sincerely, Suzanne M. Bump Auditor of the Commonwealth
Audit No. 2015-1378-3S Civil Service Commission Table of Contents
i
TABLE OF CONTENTS
EXECUTIVE SUMMARY ........................................................................................................................................... 1
OVERVIEW OF AUDITED ENTITY ............................................................................................................................. 2
AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY ................................................................................................. 3
DETAILED AUDIT FINDINGS WITH AUDITEE’S RESPONSE ........................................................................................ 7
1. Information reported regarding internal controls was inaccurate or unsupported by documentation. ...... 7
a. Contrary to what its ICQ indicated, CSC’s ICP was not based on guidelines issued by OSC. ..................... 7
b. Contrary to what its ICQ indicated, CSC’s response was inaccurate with regard to capital assets with a useful life of more than one year. ........................................................................................................... 8
c. Contrary to what its ICQ indicated, CSC had not performed and documented an annual physical inventory of capital assets. ..................................................................................................................... 8
d. Contrary to what its ICQ indicated, CSC did not have procedures encompassing all phases of the inventory process. .................................................................................................................................. 8
OTHER MATTERS ................................................................................................................................................. 11
APPENDIX A ......................................................................................................................................................... 12
APPENDIX B ......................................................................................................................................................... 14
Audit No. 2015-1378-3S Civil Service Commission List of Abbreviations
ii
LIST OF ABBREVIATIONS
COSO Committee of Sponsoring Organizations of the Treadway Commission CSC Civil Service Commission EOAF Executive Office for Administration and Finance ERM enterprise risk management GAAP generally accepted accounting principles ICP internal control plan ICQ Internal Control Questionnaire IT information technology MMARS Massachusetts Management Accounting and Reporting System OSA Office of the State Auditor OSC Office of the State Comptroller PII personally identifiable information
Audit No. 2015-1378-3S Civil Service Commission Executive Summary
1
EXECUTIVE SUMMARY
Each year, the Office of the State Comptroller (OSC) issues a memorandum (Fiscal Year Update) to internal
control officers, single audit liaisons, and chief fiscal officers instructing departments to complete an
Internal Control Questionnaire (ICQ) designed to provide an indication of the effectiveness of the
Commonwealth’s internal controls. In the Representations section of the questionnaire, the department
head, chief fiscal officer, and internal control officer confirm that the information entered in the
questionnaire is accurate and approved.
In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, the Office of the State
Auditor has conducted a limited-scope performance audit of certain information reported in the Civil
Service Commission’s (CSC’s) ICQ for the period July 1, 2013 through June 30, 2014. The objective of our
audit was to determine whether certain responses that CSC provided to OSC in its fiscal year 2014 ICQ
were accurate.
Below is a summary of our finding and our recommendations, with links to each page listed.
Finding 1 Page 7
CSC’s 2014 ICQ had inaccurate responses on the subjects of its internal control plan (ICP), capital-asset inventory, and inventory procedures.
Recommendations Page 10
1. CSC should take the measures necessary to address the issues we identified during our audit and should ensure that it adheres to all of OSC’s requirements for developing an ICP and accurately reporting information about its ICP, capital assets, annual physical inventory, and inventory procedures in its ICQ.
2. If necessary, CSC should request guidance from OSC on these matters.
Audit No. 2015-1378-3S Civil Service Commission Overview of Audited Entity
2
OVERVIEW OF AUDITED ENTITY
The Civil Service Commission (CSC) is a quasi-judicial agency established under Chapter 7, Section 4I, of
the Massachusetts General Laws. It hears and decides appeals of public employees and job applicants
protected by Massachusetts civil-service law (Chapter 31 of the General Laws) and is charged with
ensuring fair and impartial treatment.
CSC has a five-member appellate board whose members are appointed by the Governor to staggered five-
year terms. CSC’s powers and duties are detailed in Chapter 31, Section 2, of the General Laws.
During our audit period, CSC had a staff of four full-time employees and two part-time employees and a
fiscal year budget of $436,000. The commission is located at One Ashburton Place in Boston.
Audit No. 2015-1378-3S Civil Service Commission Audit Objectives, Scope, and Methodology
3
AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY
In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, the Office of the State
Auditor (OSA) has conducted a limited-scope performance audit of certain information reported in the
Civil Service Commission’s (CSC’s) Internal Control Questionnaire (ICQ)1 for the period July 1, 2013 through
June 30, 2014.
We conducted this limited-scope performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
The overall objective of our audit was to determine whether CSC accurately reported certain information
about its overall internal control system to the Office of the State Comptroller (OSC) in its 2014 ICQ.
Accordingly, our audit focused solely on reviewing and corroborating CSC’s responses to specific questions
pertaining to ICQ sections that we determined to be significant to the agency’s overall internal control
system. Below is a list of the relevant areas, indicating the conclusion we reached regarding each objective
and, if applicable, where each objective is discussed in this report.
Objective Conclusion
1. In its 2014 ICQ, did CSC give accurate responses in the following areas?
a. internal control plan (ICP) No; see Finding 1a
b. capital-asset inventory, for both generally accepted accounting principles (GAAP) and non-GAAP assets
No; see Findings 1b, 1c, and 1d
c. personally identifiable information (PII) Yes
d. audits and findings (reporting variances, losses, shortages, or thefts of funds or property immediately to OSA; see Appendix A)
Yes
1. Each year, OSC issues a memo (Fiscal Year Update) to internal control officers, single audit liaisons, and chief fiscal officers
instructing departments to complete an Internal Control Questionnaire designed to provide an indication of the effectiveness of the Commonwealth’s internal controls. In the Representations section of the questionnaire, the department head, chief fiscal officer, and internal control officer confirm that the information entered in the questionnaire is accurate and approved.
Audit No. 2015-1378-3S Civil Service Commission Audit Objectives, Scope, and Methodology
4
Our analysis of the information in the ICQ was limited to determining whether agency documentation
adequately supported selected responses submitted by CSC in its ICQ for the audit period; it was not
designed to detect all weaknesses in the agency’s internal control system or all instances of inaccurate
information reported by CSC in the ICQ. Further, our audit did not include tests of internal controls to
determine their effectiveness as part of audit risk assessment procedures, because in our judgment, such
testing was not significant within the context of our audit objectives or necessary to determine the
accuracy and reliability of ICQ responses. Our understanding of internal controls and management
activities at CSC was based on our interviews and document reviews. Our audit was limited to what we
considered appropriate when determining the cause of inaccurate ICQ responses.
In order to achieve our objectives, we performed the following audit procedures:
We reviewed the instructions for completing the fiscal year 2014 ICQ distributed by OSC to all state departments (Appendix B).
We reviewed the September 2007 version of the OSC Internal Control Guide (the version effective during the audit period) to obtain an understanding of the requirements for preparing an ICP.
We reviewed Chapter 93H, Section 3, of the General Laws, and Massachusetts Executive Order 504, to obtain an understanding of the requirements pertaining to the safeguarding and security of confidential and personal information and to providing notification of breaches to appropriate parties.
We reviewed Chapter 93I of the General Laws to obtain an understanding of the requirements pertaining to the disposal and destruction of electronic and hardcopy data records.
We interviewed the director of OSC’s Quality Assurance Bureau to obtain an understanding of OSC’s role in the ICQ process and to obtain and review any departmental quality assurance reviews2 conducted by OSC for CSC.
We interviewed CSC’s chairman to gain an understanding of CSC’s ICQ process, and we requested and obtained documentation to support the responses on the ICQ for the 12 questions we selected for review.
We interviewed CSC’s chairman to ask whether CSC had any instances of variances, losses, shortages, or thefts of funds or property to determine compliance with Chapter 647 of the Acts of 1989’s requirement of reporting to OSA.
2. According to OSC, the primary objective of the quality assurance reviews is to validate (through examination of transactions,
supporting referenced documentation, and query results) that internal controls provide reasonable assurance that Commonwealth departments adhere to Massachusetts finance law and the policies and procedures issued by OSC. The quality assurance review encompasses the following areas: internal controls, security, employee and payroll status, and various accounting transactions. The internal control review determines whether the department has a readily available updated ICP.
Audit No. 2015-1378-3S Civil Service Commission Audit Objectives, Scope, and Methodology
5
We reviewed the fiscal year 2014 ICQ and selected questions pertaining to (1) the ICP, (2) Chapter 647 requirements, (3) capital-asset inventory (GAAP and non-GAAP), and (4) PII. We selected these areas using a risk-based approach and prior OSA reports that noted inconsistencies with departmental supporting documentation and agency ICQ responses submitted to OSC. Accordingly, we selected the following ICQ questions:
Does the department have an ICP that documents its internal control systems, procedures, and operating cycles, covering the objectives of all department activity?
Is the ICP based on the guidelines issued by OSC?
Has the department conducted an organization-wide risk assessment that includes the risk of fraud?
Has the department updated its ICP within the past year?
Does the department require that all instances of unaccounted-for variances, losses, shortages, or thefts of funds be immediately reported to OSA?
Does the department have singular tangible and/or intangible capital assets with a useful life of more than one year?
Does the department take an annual physical inventory of tangible and intangible capital assets, including additions, disposals, and assets no longer in service?
Are there procedures that encompass all phases of the inventory process—acquisition, recording, tagging, assignment/custody, monitoring, replacement, and disposal—as well as the assignment of the roles of responsibility to personnel?
Are information system and data security policies included as part of the department’s internal controls?
Is the department complying with Chapter 93H, Section 3, of the General Laws, and Executive Order 504, regarding notification of data breaches?
Are stored personal data, both electronic and hardcopy, secured and properly disposed of in accordance with Chapter 93I of the General Laws and in compliance with the Secretary of State’s record-conservation requirements?
Are sensitive data, as defined in law and policy, secured and restricted to access for job-related purposes?
To determine whether the responses that CSC provided to OSC for the above 12 questions were accurate,
we performed the following procedures:
We requested and reviewed the CSC ICP to determine whether it complied with OSC requirements.
We requested and reviewed any department-wide risk assessments conducted by CSC.
Audit No. 2015-1378-3S Civil Service Commission Audit Objectives, Scope, and Methodology
6
We conducted interviews with CSC’s chairman to determine the procedures used to prepare and update the ICP and conduct an annual physical capital-asset inventory.
We requested and reviewed CSC’s policies and procedures for PII to determine whether policies were in place and addressed the provisions of (1) Chapter 93H, Section 3, of the General Laws, and Executive Order 504, regarding notification of data breaches and (2) Chapter 93I of the General Laws regarding storing electronic and hardcopy personal data.
We requested documentation for the last annual physical inventory conducted by CSC.
We requested and reviewed all documentation available to support CSC’s certification of the accuracy of its responses on the fiscal year 2014 ICQ.
In addition, we assessed the data reliability of OSC’s PartnerNet, the electronic data source used for our
analysis, by extracting copies of the ICQ using our secured system access and comparing their data to the
ICQ data on the source-copy ICQ on file at CSC during our subsequent interviews with management. ICQ
questions are answered entirely with a “Yes,” “No,” or “N/A” checkmark. By tracing the extracted data to
the source documents, we determined that the information was accurate, complete, and sufficiently
reliable for the purposes of this audit.
Audit No. 2015-1378-3S Civil Service Commission Detailed Audit Findings with Auditee’s Response
7
DETAILED AUDIT FINDINGS WITH AUDITEE’S RESPONSE
1. Information reported regarding internal controls was inaccurate or unsupported by documentation.
Some of the information that the Civil Service Commission (CSC) reported in its Internal Control
Questionnaire (ICQ) to the Office of the State Comptroller (OSC) for fiscal year 2014 was inaccurate or not
supported by documentation. Specifically, although CSC indicated that it was complying with OSC
guidelines in all of the areas we reviewed, its internal control plan (ICP) had not documented one of the
eight components of enterprise risk management (ERM) required in guidelines issued by OSC, it
inaccurately disclosed that it held capital assets subject to OSC’s Accounting and Management Policy and
Fixed Assets—Acquisition Policy, it could not provide documentation that it had performed an annual
physical inventory of its capital assets, and it did not have procedures encompassing all phases of the
inventory process.
Without establishing an ICP in accordance with OSC guidelines, CSC may not be able to achieve its mission
and objectives effectively; efficiently; and in compliance with applicable laws, rules, and regulations.
Further, inaccurate information on the ICQ prevents OSC from effectively assessing the adequacy of CSC’s
internal control system for the purpose of financial reporting. Finally, without performing and
documenting an annual physical inventory or establishing procedures that encompass all phases of the
inventory process, CSC is not ensuring that its capital assets are properly safeguarded against loss, theft,
or misuse and that its inventory records are complete and accurate.
The problems we found are detailed in the sections below.
a. Contrary to what its ICQ indicated, CSC’s ICP was not based on guidelines issued by OSC.
In the Internal Control Plans section of the fiscal year 2014 ICQ, departments were asked, “Is the
internal control plan based on guidelines issued by the Comptroller’s Office?” In its ICQ, CSC answered
“yes,” but its ICP was not fully compliant with the guidelines in OSC’s Internal Control Guide.
Specifically, although CSC’s ICP identified seven of the eight ERM components, it did not adequately
identify or discuss the Internal Environment component.
Audit No. 2015-1378-3S Civil Service Commission Detailed Audit Findings with Auditee’s Response
8
b. CSC’s response was inaccurate with regard to capital assets with a useful life of more than one year.
In the Capital Assets Inventory (GAAP and Non-GAAP) section of the fiscal year 2014 ICQ, departments
were asked, “Does the department have singular tangible and/or intangible capital assets with a
useful life of more than one year?” 3 In its ICQ, CSC answered “yes,” but CSC’s chairman told us that
the commission did not have any generally accepted accounting principles (GAAP) or non-GAAP
capital assets. Further, although they were outside our audit period, we noted that in its ICQs for fiscal
years 2011 and 2013, CSC answered “yes” to this question, whereas in its fiscal year 2012 ICQ, it
answered “no” to the same question.
c. Contrary to what its ICQ indicated, CSC had not performed and documented an annual physical inventory of capital assets.
In the Capital Assets Inventory (GAAP and Non-GAAP) section of the fiscal year 2014 ICQ, departments
were asked, “Does the Department take an annual physical inventory of tangible and/or intangible
capital assets including additions, disposals and assets no longer in service?” In its ICQ, CSC answered
“yes,” but it had not conducted an annual physical inventory of its tangible and intangible capital
assets that included additions, disposals, and assets no longer in service. Moreover, although they
were outside our audit period, we noted that in its ICQs for fiscal years 2011, 2012, and 2013, CSC
answered “yes” to this question despite not having conducted annual physical inventories.
d. Contrary to what its ICQ indicated, CSC did not have procedures encompassing all phases of the inventory process.
In the Capital Assets Inventory (GAAP and Non-GAAP) section of the fiscal year 2014 ICQ, departments
were asked “Are there procedures that encompass all phases of the inventory process: acquisition,
recording, tagging, assignment/custody, monitoring, replacement and disposal, as well as the
assignment of the roles of responsibilities to personnel?” In its ICQ, CSC answered “yes,” but it had
not established and implemented formal written policies and procedures for managing its capital-
asset inventory. Though it was outside our audit period, we also noted that CSC also responded “yes”
to the question in fiscal year 2013, the first year the question was included in the ICQ.
3. OSC’s Fixed Assets—Acquisition Policy defines GAAP and non-GAAP assets as singular capital assets with a useful life of more
than one year and a value equal to or above $1,000.
Audit No. 2015-1378-3S Civil Service Commission Detailed Audit Findings with Auditee’s Response
9
Authoritative Guidance
The ICQ is a document designed by OSC that is sent to departments each year requesting information and
department representations on their internal controls over 12 areas: management oversight, accounting
system controls, budget controls, revenue, procurement and contract management, invoices and
payments, payroll and personnel, investments held by the Commonwealth, material and supply inventory,
capital-asset inventory, federal funds, and information-technology security and personal data. The
purpose of the ICQ is to provide an indication of the effectiveness of the Commonwealth’s internal
controls. External auditors use department ICP and ICQ responses, along with other procedures, to render
an opinion on the internal controls of the Commonwealth as a whole.
In its document Enterprise Risk Management—Integrated Framework, or COSO II, the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as “a process, effected by the
entity’s board of directors, management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage the risks to be
within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
To comply with OSC’s internal control guidelines, an ICP must contain information on the eight
components of ERM: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk
Response, Control Activities, Information and Communication, and Monitoring. COSO guidance states that
all components of an internal control system must be present and functioning properly and operating
together in an integrated manner in order to be effective.
OSC’s Accounting and Management Policy and Fixed Assets—Acquisition Policy require that an annual
inventory of each department’s fixed assets, both GAAP and non-GAAP, be performed each year.
Reasons for Inaccurate or Unsupported Information
According to CSC’s chairman, the omission of the Internal Environment component of ERM was caused by
an administrative oversight. In addition, the chairman stated that in responding to the Capital Assets
Inventory (GAAP and Non-GAAP) questions, he had mistakenly assumed that CSC had singular capital
assets worth $1,000 or more that would be subject to an annual inventory and reconciliation in
accordance with OSC’s capital-asset policies. He also stated that an annual physical inventory had been
performed via a visual inspection of assets, but not documented, and that by including sections on Chapter
Audit No. 2015-1378-3S Civil Service Commission Detailed Audit Findings with Auditee’s Response
10
647 of the Acts of 1989 and obsolete and nonfunctional equipment in the ICP, he had established
adequate inventory procedures.
Recommendations
1. CSC should take the measures necessary to address the issues we identified during our audit and should ensure that it adheres to all of OSC’s requirements for developing an ICP and accurately reporting information about its ICP, capital assets, annual physical inventory, and inventory procedures in its ICQ.
2. If necessary, CSC should request guidance from OSC on these matters.
Auditee’s Response
We will incorporate all of the recommendations listed into our existing Internal Control Plan (ICP)
and office procedures.
Despite budget constraints that have left the Civil Commission with only four (4) full-time
employees, we have met or exceeded our goals and objectives, reducing the pending inventory of
total appeals from approximately 900 in 2006 to approximately 100 as of the time of this audit.
The number of appeals pending for more than 12 months was reduced from 550 to 25 during this
same time period. We met these milestones through a series of administrative reforms, including
moving to a digital recording system that allows us to process appeals in a more efficient manner.
These digital recorders are our most valuable assets. Although the singular cost for each of the
five (5) recorders is just under $1,000, we have treated them as if they were non-GAAP capital
assets, and maintained a rigorous inventory control for tracking, securing and recordkeeping for
these assets on a daily basis. Consistent with the auditors’ recommendations, however, we will no
longer deem these recorders as capital assets when completing the annual Internal Control
Questionnaire (ICQ). We will, however, continue our existing inventory control system for these
assets. This will effectively address two (2) of the four (4) findings in the audit.
Upon review, we concur that our existing ICP only identified seven (7) of the eight (8) enterprise
risk management (ERM) components. The ICP will be updated to incorporate the eighth component
listed in the audit.
Finally, although the Commission does not anticipate purchasing anything that meets the definition
of a capital asset, we concur with the recommendation that we should still adopt formal written
policies and procedures for managing a capital asset inventory, in the event that circumstances
change and capital assets are purchased sometime in the future.
Auditor’s Reply
Based on its response, we believe that CSC is taking appropriate measures to address the concerns we
identified.
Audit No. 2015-1378-3S Civil Service Commission Other Matters
11
OTHER MATTERS
On May 9, 2011, the Governor issued Executive Order No. 532. This order superseded Executive Order
510, which transferred the responsibility for accounting for the information technology (IT) assets of
executive departments, including the Civil Service Commission (CSC), to the Executive Office for
Administration and Finance (EOAF). One of EOAF’s responsibilities under both orders was to perform
annual physical inventories of CSC’s IT assets in accordance with the state Information Technology
Division’s Enterprise IT Asset and Risk Management Policy, dated March 6, 2014. This policy states,
“Secretariats and their respective agencies are required to . . . annually conduct a physical audit of IT
assets and reconcile the audit with the IT asset inventory. Agencies must investigate and resolve
discrepancies between the physical audit of IT assets and the IT asset inventory.”
As part of our current audit, we inquired whether an annual physical inventory of CSC’s IT assets had been
conducted. CSC personnel told us that they were uncertain whether EOAF had conducted its annual
physical inventory for fiscal year 2014. Moreover, we determined that certain CSC capital assets with a
historical cost totaling $34,287, which were fully depreciated and no longer in CSC’s possession, had not
been removed from the Fixed Asset Subsystem within the Commonwealth’s Massachusetts Management
Accounting and Reporting System (MMARS). The assets were a telephone system and related accessories
that were purchased on June 30, 1997 for $15,796 and computer central processing units that were
purchased on June 1, 1987 for $18,491.
If CSC had performed the OSC-required capital-asset reconciliation, comparing the records in the MMARS
Fixed Asset Subsystem to internal inventory records maintained by either EOAF or CSC, it would have
identified these assets as items that should be deleted from the Fixed Asset Subsystem.
Although this matter was outside the scope of this audit, we discussed this issue with EOAF’s bureau chief
of Technical Services, who is responsible for the management of IT assets for departments under EOAF.
He stated that because of limited resources and time constraints, no physical inventory had been
conducted, but corrective action would be taken to ensure annual physical inventories of CSC’s IT assets.
Audit No. 2015-1378-3S Civil Service Commission Appendix A
12
APPENDIX A
Chapter 647 of the Acts of 1989 An Act Relative to Improving the Internal Controls within State Agencies
Notwithstanding any general or special law to the contrary, the following internal control standards
shall define the minimum level of quality acceptable for internal control systems in operation
throughout the various state agencies and departments and shall constitute the criteria against
which such internal control systems will be evaluated. Internal control systems for the various state
agencies and departments of the commonwealth shall be developed in accordance with internal
control guidelines established by the office of the comptroller.
(A) Internal control systems of the agency are to be clearly documented and readily available for
examination. Objectives for each of these standards are to be identified or developed for each
agency activity and are to be logical; applicable and complete. Documentation of the agency's
internal control systems should include (1) internal control procedures, (2) internal control
accountability systems and (3), identification of the operating cycles. Documentation of the
agency's internal control systems should appear in management directives, administrative
policy, and accounting policies, procedures and manuals.
(B) All transactions and other significant events are to be promptly recorded, clearly documented
and properly classified. Documentation of a transaction or event should include the entire
process or life cycle of the transaction or event, including (1) the initiation or authorization of
the transaction or event, (2) all aspects of the transaction while in process and (3), the final
classification in summary records.
(C) Transactions and other significant events are to be authorized and executed only by persons
acting within the scope of their authority. Authorizations should be clearly communicated to
managers and employees and should include the specific conditions and terms under which
authorizations are to be made.
(D) Key duties and responsibilities including (1) authorizing, approving, and recording transactions,
(2) issuing and receiving assets, (3) making payments and (4), reviewing or auditing
transactions, should be assigned systematically to a number of individuals to insure that
effective checks and balances exist.
(E) Qualified and continuous supervision is to be provided to ensure that internal control objectives
are achieved. The duties of the supervisor in carrying out this responsibility shall include (1)
clearly communicating the duties, responsibilities and accountabilities assigned to each staff
member, (2) systematically reviewing each member's work to the extent necessary and (3),
approving work at critical points to ensure that work flows as intended.
(F) Access to resources and records is to be limited to authorized individuals as determined by the
agency head. Restrictions on access to resources will depend upon the vulnerability of the
resource and the perceived risk of loss, both of which shall be periodically assessed. The agency
head shall be responsible for maintaining accountability for the custody and use of resources
Audit No. 2015-1378-3S Civil Service Commission Appendix A
13
and shall assign qualified individuals for that purpose. Periodic comparison shall be made
between the resources and the recorded accountability of the resources to reduce the risk of
unauthorized use or loss and protect against waste and wrongful acts. The vulnerability and
value of the agency resources shall determine the frequency of this comparison.
Within each agency there shall be an official, equivalent in title or rank to an assistant or deputy
to the department head, whose responsibility, in addition to his regularly assigned duties, shall be
to ensure that the agency has written documentation of its internal accounting and administrative
control system on file. Said official shall, annually, or more often as conditions warrant, evaluate
the effectiveness of the agency's internal control system and establish and implement changes
necessary to ensure the continued integrity of the system. Said official shall in the performance of
his duties ensure that: (1) the documentation of all internal control systems is readily available for
examination by the comptroller, the secretary of administration and finance and the state auditor,
(2) the results of audits and recommendations to improve departmental internal controls are
promptly evaluated by the agency management, (3) timely and appropriate corrective actions are
effected by the agency management in response to an audit and (4), all actions determined by the
agency management as necessary to correct or otherwise resolve matters will be addressed by the
agency in their budgetary request to the general court.
All unaccounted for variances, losses, shortages or thefts of funds or property shall be immediately
reported to the state auditor's office, who shall review the matter to determine the amount involved
which shall be reported to appropriate management and law enforcement officials. Said auditor
shall also determine the internal control weakness that contributed to or caused the condition. Said
auditor shall then make recommendations to the agency official overseeing the internal control
system and other appropriate management officials. The recommendations of said auditor shall
address the correction of the conditions found and the necessary internal control policies and
procedures that must be modified. The agency oversight official and the appropriate management
officials shall immediately implement policies and procedures necessary to prevent a recurrence of
the problems identified.
Audit No. 2015-1378-3S Civil Service Commission Appendix B
14
APPENDIX B
Office of the State Comptroller’s Memorandum Internal Control Questionnaire and Department Representations